Can't get rid of riskware

[loominarty]

Hello,

I recently started getting ads on my Chrome search results page so I decided to download and run MalwareBytes. I believe the scan does not show anything out of the ordinary, but the program detects riskware under the domain of "filterforte.com" every time I search for anything. I've tried disabling Chrome extensions, running my antivirus, running HitmanPro and even resetting the browser to default settings, but nothing has worked. I would very much appreciate if someone could help me out with this issue. I've followed the forum instructiMalwareBytes.txtons and ran the Farbar tool, logs which I'm attaching along with the initial scan's.

FRST.txt Addition.txt riskware.txt

[Maurice Naggar]

Hi       

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log. There will be more to do later.

[loominarty]

AdwCleaner.txt

[Maurice Naggar]

That is a good cleanup of adwares.  I would suggest that you do this next scan. This is a known respected tool. It will scan for viruses as well as for potentially unwanted applications. ( P U A or P U P ).

 

I would suggest a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

 

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

 

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

 

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

 

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

 

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

 

Press Continue when all done.

You should decline the offer for “periodic scanning”. ( if offered)

 

Please make sure you attach the log report.   

[loominarty]

ESET.txt

[Maurice Naggar]

That removed a total of 16 files. 15 classified as potentially unwanted application + 1 tagged as potentially unsafe application.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  FULL scan.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
• Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
• We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply.   This step is not a cure-all.  We have  more work to do later.  Stick with me.

[loominarty]

Hey Maurice. It's been almost 36 hours since the scan began and it is not even half-way there, is it crucial to have it done? It's been interfering with work and the noise really kept me up last night. If you tell me it's worth it I'll stop by the store and get some earplugs for tonight, so please let me know 😅. Thank you for your help up until now!

[Maurice Naggar]

The machine should not be "noisy", as long as the hardware is in normal good physical condition. Did you notice if the scan is past the C drive ?  Now then, if you must, you may click on the CANCEL button.  Before you do that though, see if you can jot down how far & to where it has scanned up to now.

Edited February 8, 2022 by Maurice Naggar

[loominarty]

It really isn't that noisy, it's just that I sleep particularly close to my PC 😅. The scan is still going through the C drive, stuck on some heavy software development programs. I'll probably let it finish, it would just be a waste of time otherwise. I'll let you know when I have the results!

[loominarty]

Here it is.

msert.log

[loominarty]

Don't mind the last message, this is the one:

msert.log

[Maurice Naggar]

This topic - thread is oinly for Loominarty, who is the originator.  Any one else posting here will be removed. I have split off the post by one such other person.

[Maurice Naggar]

Hello @loominarty  Thank you for the report from the Microsoft Safety scanner. It reports that there is no virus, trojan, or malware. How is the situation as to web browsers ?

[loominarty]

I'm afraid the issue persists. MalwareBytes is still blocking a website and disabling it makes ads appear on my search results. What else could I try? Thank you very much for your time.

[Maurice Naggar]

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

• Please attach  mbst-grab-results.zip    to your reply

[loominarty]

mbst-grab-results.zip

[Maurice Naggar]

Hello @loominarty  Thank you for the report. I noticed 2 distinct IP addresses involved on the Block notice events by Malwarebytes web protection. 

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Loominarty  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.    It will rebuild the Winsock.  It will attempt to clear the cache for Chrome & Edge.  It will delete temporary file areas. 

NOTE-2: The main & major goal of this custom run is to put 2 IP addresses on the block section of the Windows firewall + to remove one extension on Chrome browser.

•  
• Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

• If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
• Please save the (attached file named) FIXLIST.txt   to the   user Downloads  folder

Fixlist.txt           <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.

RIGHT click on FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

• IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

• on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. 

[loominarty]

Hey Maurice. Here are the results for the script. Did a quick check afterwards and the issue is still being detected.

Fixlog.txt

[Maurice Naggar]

Start Chrome.

Look on the upper top right and click on the 3 dots ( or dashes) menu icon of Chrome ( top bar). 

Then click on More Tools > then click on EXTENSIONS.

 

Look for  the Ultimate Volume Booster Extension

then if you see on its right a blue color slider, click or slide it to the left so that it is dimmed to grey color ( turned off)

Then click on REMOVE with your mouse.

 

That ought to take care of it. Keep me advised.

[loominarty]

The issue has not been detected for 2 days now, seems like the problem is solved! Should have tried removing the extensions and not just disabling them from the start. Thank you very much for your help and time Maurice.

[Maurice Naggar]

Hi. That is good news. We are nearly done. 

This next is just a report to check on some Windows services  

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

• Internet Services
  Windows Firewall
  System Restore
  Security Center/Action Center
  Windows Update
  Windows Defender
  Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file. 

[    2    ]

I would recommend getting a readout report as to update status of some key apps.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

[loominarty]

FSS.txt SecurityCheck.txt

[Maurice Naggar]

Hello. Thank you for the reports. The Mozilla Firefox is out-of-date. Be sure to get the very latest release. See below the other action items listed by SecurityCheck. The goal is to have the latest updates / patches / releases.
--------------------------- [ OtherUtilities ] ----------------------------
LibreOffice 7.1.3.2 v.7.1.3.2   Warning! Download Update
Oracle VM VirtualBox 6.1.18 v.6.1.18   Warning! Download Update
NVIDIA GeForce Experience 3.24.0.126 v.3.24.0.126   Warning! Download Update
Microsoft Visual Studio Code (User) v.1.48.2   Warning! Download Update

Microsoft .NET Framework 1.1 v.1.1.4322   Warning! This software is no longer supported.

------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 6.02 (64-bit) v.6.02.0   Warning! Download Update
------------------------------- [ Imaging ] -------------------------------
GIMP 2.10.22 v.2.10.22   Warning! Download Update
-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309   Warning! Download Update
Microsoft Teams v.1.4.00.2879 Warning! Download Update
--------------------------------- [ P2P ] ---------------------------------
BitTorrent v.7.10.5.46097   Warning! Ad-supported P2P-client.
-------------------------------- [ Media ] --------------------------------
Audacity 2.3.2 v.2.3.2   Warning! Download Update
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 86.0 (x64 es-ES) v.86.0   Warning! Download Update

---------------------------- [ UnwantedApps ] -----------------------------
Unity Web Player (x64) (All users) v.4.6.6f2   Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Wondershare Helper Compact 2.5.3 v.2.5.3   Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

[Maurice Naggar]

Hello. 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt.
• You may attach that file to your next reply. (not compulsory)

Let me know when you have completed this.  We can wrap-up this case.

Sincerely,

Maurice

[loominarty]

Sorry Maurice, forgot to reply. I ran the tool and haven't had any issues since I removed the extension.